Introduction to CPIX

CPIX is an open specification developed by DASH-IF that offers support for all major DRM systems and playout formats. The idea behind CPIX is that it provides an interoperable, XML-based format to exchange content protection configurations between different systems that need to interact within a video streaming setup. USP follows the CPIX 2.1 specification.

Ideally, a DRM provider supplies a CPIX document, which can then be used as input for Unified Origin; see Command-line options for specifying CPIX document URLs for the various contexts in which you can use a CPIX document with Origin. If your DRM provider does not (yet) supply a CPIX document, it is possible to create one yourself.


We do not recommend the use of CPIX documents unless required for advanced use cases such as different DRMs / KID:CEKs per playout format, multiple keys and key rotation. Not all use cases supported by our non-CPIX DRM options can be represented in a CPIX document. The use of CPIX documents in combination with non-CPIX based DRM options in a single server manifest is not supported.


There is no support for encryption, decryption and signing of CPIX documents or DRM keys as for instance outlined in sections 4.3.2 or 4.3.5 of the CPIX 2.1 specification. HTTPS should be used and if needed basic auth or digest may be added through the use of a proxy.

CPIX document structure

Minimum info necessary

To create a CPIX document, the minimum information necessary is:

  • ContentKey
    • Must have a Key ID (KID) used to identify the content and associate it with a the (secret) Content Encryption Key.
    • Must have a Content Encryption Key (CEK) used to encrypt the content with.
  • DRMSystem
    • Must have a System ID which represents a specific DRM system such as Microsoft PlayReady (see DASH-IF DRM system IDs).
    • Must have a Key ID which must refer to an existing Content Key's KID.
    • Optionally has a Protection System Specific Header (PSSH). Depending on the DRM system, contains protection information such as such as licenses, rights, and license acquisition information.
    • Optionally has ContentProtectionData used for signaling DRM in the MPEG-DASH playout manifest.
    • Optionally has HLSSignalingData used for signaling DRM in the Apple HLS Manifest.
    • Optionally has SmoothStreamingProtectionHeaderData used for signaling DRM in the Microsoft Smooth Streaming playout manifest.
    • Optionally has HDSSignalingData used for signaling DRM in the HTTP Dynamic Streaming playout manifest.

Minimal CPIX example

The following example shows a minimal CPIX document:

<?xml version='1.0' encoding='UTF-8'?>
<CPIX xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xsi="" xmlns="urn:dashif:org:cpix" xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd">
    <ContentKey kid="e82f184c-3aaa-57b4-ace8-606b5e3febad">
    <!-- Widevine -->
    <DRMSystem kid="e82f184c-3aaa-57b4-ace8-606b5e3febad" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
  • The document's <ContentKeyList> contains a single <ContentKey> element with key ID e82f184c-3aaa-57b4-ace8-606b5e3febad (line 4).
  • The base64-encoded CEK for this key ID is wvr2bihSzExKdR8KKpQf2w== (line 7).
  • The document's <DRMSystemList> contains a single <DRMSystem> element. It is used for the <ContentKey> element above (e82f184c-3aaa-57b4-ace8-606b5e3febad) in combination with the Widevine (edef8ba9-79d6-4ace-a3c8-27dcd51d21ed) DRM system (line 14).
  • The base64-encoded PSSH DRM information for Widevine is listed in line 15.
  • The base64-encoded <ContentProtectionData> which will be used for signaling the DRM in the DASH manifest is listed on line 16.
  • If the signaling for a specific playout format is not known, it is possible to request USP to generate it. To request generation, the signaling element must be present and empty, listed on line 17. For the full support list of generating signalings, see CPIX Signaling Behaviour
  • This document does not contain a <ContentKeyUsageRuleList> element, which is used to limit the use of a specific <ContentKey> based on track characteristics (see Using DRM with Multiple Keys), by timespan (see Using DRM with Key Rotation (HLS TS Only)), or both. The absence of any usage rules implies that a query of this document for encryption information will always select the only content key it contains.


  • It is possible to explicitly signal a Key Initialization Vector (IV) by adding an explicitIV attribute to a <ContentKey> element. The primary use of this is to enable the use of DRM systems that associate a single IV with each CEK and whose DRM client implementations are unable to extract the IV from the content, requiring the license server to deliver the IV together with the CEK upon request. Use of this attribute is not recommended except for compatibility with such DRM systems.
  • If you work with pre-encrypted content, it is not necessary to provide a CEK in your CPIX document as Unified Origin only requires a CEK to encrypt content and not for generating the necessary signaling.

The <HLSSignalingData> element

The optional <HLSSignalingData> sub-element of the <DRMSystem> element can be used to signal the DRM specific information that must be included in the HLS playlist. There can be up to two <HLSSignalingData> sub-elements, with one targeting the HLS variant playlist, and the other for the HLS master playlist. Origin uses the provided information as is and does not check it for consistency or correctness. This provides a lot of flexibility, but does not allow for any errors.

The information should include the #EXT-X-KEY tag and must be in base64 encoded binary format. It may contain multiple lines, allowing for extra lines with proprietary tags and values.

For example, fMP4 HLS with Widevine requires information in the HLS variant playlist:


For the HLS master playlist:


In CPIX, this must be stored as base64 encoded binary and signaled as:


Note how on line 6 the attribute playlist="master" indicates the signaling to be placed in the HLS master playlist.

Usage rules

As stated above, a CPIX document may contain a <ContentKeyUsageRuleList> that consists of a list of <ContentKeyUsageRule> elements. Usage rules limit the applicability of a particular <ContentKey>, identified by the rule's kid attribute, to a specific track or timespan.

Filter types

Each <ContentKeyUsageRule> element contains a number of filtering elements. There are different types of filtering elements; most filter types (<VideoFilter>, <AudioFilter>, <BitrateFilter>) limit the use a content key to a particular track as described in Using DRM with Multiple Keys. A <KeyPeriodFilter> limits to use of a content key to a particular timespan; see Using DRM with Key Rotation (HLS TS Only) for further details.


The <LabelFilter> element from the CPIX 2.1 specification is not supported.


Your CPIX document must be unambiguous; be sure to configure your filtering rules such that at most one content key is selected.

Known issues

There are some known issues in our current CPIX implementation: